RETURN jump missing in iptables userchain – what happens?

Karma Fusebox asked:

I am quite unable to find out what the consequences of a missing RETURN-rule at the end of user-defined iptables chains are. Obviously “iptables [missing] return [jump]” are really, really bad keywords to look for.

The manpage and any blog or howto I could dig up just tell me what -j RETURN does (which is quite obvious) but not what happens if it is missing. Also, I cannot seem to set up sane experimental rules to try it out…

iptables -N userchainA
iptables -A INPUT -j userchainA
iptables -N userchainB
iptables -A INPUT -j userchainB
iptables -A INPUT -j ACCEPT

iptables -A userchainA ... # anything here, that DOES NOT MATCH
#### no explicit return from userchainA!

iptables -A userchainB ... # anything here, that DOES NOT MATCH
iptables -A userchainB -j RETURN 

Given these rules, everything works just fine. Packets travel through all the chains and finally hit the ACCEPT from INPUT as if the (missing) -j RETURN from userchainA were done implicitly. Is this the case?

Why is this working? I would have expected some kind of error or at least a log message about execution falling off a chain.

My answer:

When iptables reaches the end of a user-defined chain, flow returns to the next rule in the calling chain. The RETURN is therefore implicit; it does not need to be explicitly given.

View the full question and answer on Server Fault.
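The traversal described in the answer, as an added illustration that is not part of the original post or of iptables itself: a small Python model of chain semantics, constructed here, run over the question's ruleset. The "does not match" rules (assumed to be a never-matching dport 9 test) and the INPUT policy of DROP are assumptions; the model also shows that a built-in chain, unlike a user chain, applies its policy when its end or a RETURN is reached.

```python
# Constructed model of netfilter chain traversal (not iptables itself):
# a packet is a dict and a rule is a (match predicate, target) pair, where
# the target is ACCEPT, DROP, RETURN, or the name of a user chain.
class Table:
    def __init__(self):
        self.chains = {}    # chain name -> list of (match, target)
        self.policies = {}  # built-in chains only: chain name -> policy

    def new(self, name, policy=None):
        self.chains[name] = []
        if policy:
            self.policies[name] = policy

    def append(self, chain, target, match=lambda pkt: True):
        self.chains[chain].append((match, target))

    def verdict(self, pkt, chain="INPUT"):
        """Walk `chain` for `pkt`. A user chain that ends without a verdict
        yields 'RETURN' (the implicit return); a built-in chain yields its
        policy instead, so traffic can never fall off the end of INPUT."""
        for match, target in self.chains[chain]:
            if not match(pkt):
                continue
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            if target == "RETURN":
                break  # explicit RETURN: same as reaching the end of the chain
            sub = self.verdict(pkt, target)  # jump into a user chain
            if sub != "RETURN":
                return sub
        return self.policies.get(chain, "RETURN")

def question_ruleset():
    """The ruleset from the question; the 'does not match' rules are
    constructed as 'dport 9' so ordinary traffic never hits them (assumption)."""
    t = Table()
    t.new("INPUT", policy="DROP")  # assumed policy
    t.new("userchainA")
    t.new("userchainB")
    never = lambda pkt: pkt["dport"] == 9
    t.append("INPUT", "userchainA")
    t.append("INPUT", "userchainB")
    t.append("INPUT", "ACCEPT")
    t.append("userchainA", "DROP", never)  # no explicit RETURN in userchainA
    t.append("userchainB", "DROP", never)
    t.append("userchainB", "RETURN")
    return t

def verdict_for(dport):
    return question_ruleset().verdict({"dport": dport})
```

A packet to port 22 falls off the end of userchainA, returns through userchainB and reaches the ACCEPT in INPUT, exactly as observed in the question; only a packet matching the rule inside userchainA is dropped there.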

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.